Scammers Pretend to Be Friendly Office Printers

Hackers have found a new hook to trick people into opening malicious attachments: send emails that purport to come from office printers, many of which now have the ability to email scanned documents.

"This is a new tactic we haven't really seen before," said Paul Wood, senior intelligence analyst for Symantec.cloud, the company's Web-based security and email branch.

The emails invariably contain some kind of Trojan downloader, which can be used to download other malware or steal documents from the computer.

Symantec published examples of the emails collected recently in its latest monthly Symantec Intelligence Report, released on Tuesday. The emails at first glance look quite convincing, with a subject line "Fwd: Scan from a HP Officejet." The email reads "Attached document was scanned and sent to you using a Hewlett-Packard HP Officejet 05701J" and then "Sent by Morton."

Wood said it is common for the scammmers to spoof the sender's name and make it appear the email came from the same domain as the one that belongs to the recipient. Some of the messages captured by Symantec appear to be at a cursory glance internal company email, which makes it more likely that the person who receives the message will open the attachment.

The attachment is a ".zip" file, which is odd. Wood said it is unlikely that most printers with the email sending ability can actually send a ".zip" file; those printers mostly send image file, he said.

Although Windows has the ability to open ".zip" files, there is evidence the scammers are trying to obscure the ".zip" extension for those who use third-party tools to unzip the content. In some archiving tools, the malicious attachment appears to have a ".doc" or ".jpg" file extension. The hackers have manipulated file names to make it less likely to arouse suspicions, Wood said.

The overall social-engineering technique is along the same lines as other methods observed of late, such as sending emails purporting to be from well-known couriers with various malicious attachments, Wood said.

Send news tips and comments to jeremy_kirk@idg.com

Subscribe to the Security Watch Newsletter

Comments